Heads up, Mastodon admins! A critical security vulnerability in Mastodon allowed account takeover by an adversary. The developers patched the flaw in the latest release and urge users to update to the latest version as soon as possible.
Mastodon Vulnerability Allowed Account Takeover
As disclosed recently, a severe security vulnerability put Mastodon users at risk by allowing account takeover by an adversary.
According to the advisory shared on GitHub, the vulnerability existed due to insufficient origin validation, allowing an adversary to impersonate accounts by sending maliciously crafted payloads.
Due to a gap in validation of federated content in the affected Mastodon versions, attackers can craft payloads that impersonate remote federated accounts as-seen-from the affected server.
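As an added illustration (not Mastodon's own code, since the project has not yet published details of its patch), the following shows the general class of check that "insufficient origin validation" refers to: identity-bearing URIs in a delivered ActivityPub payload are only trusted when they share the origin of the actor whose HTTP signature authenticated the delivery. The field names follow ActivityPub and the sample payloads are constructed.

```ruby
require 'uri'

# Added illustration, not Mastodon's patch: an origin check of the kind the
# advisory's "insufficient origin validation" refers to. Identity-bearing URIs
# in a federated ActivityPub payload must share the origin of the actor whose
# HTTP signature authenticated the delivery (the "signer").
module OriginCheck
  module_function

  # Normalised scheme://host[:port] of a URI, or nil when it is not http(s).
  def origin_of(value)
    uri = URI.parse(value.to_s)
    return nil unless uri.is_a?(URI::HTTP) && uri.host
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError
    nil
  end

  # URIs in the payload that assert an identity which must match the signer.
  # Only Create/Update carry author claims about an inlined object; the object
  # of Announce, Like or Follow legitimately lives on another server, so it is
  # deliberately not tied to the signer's origin here.
  def identity_claims(payload)
    claims = { 'id' => payload['id'], 'actor' => payload['actor'] }
    obj = payload['object']
    if %w[Create Update].include?(payload['type']) && obj.is_a?(Hash)
      claims['object.id'] = obj['id']
      claims['object.attributedTo'] = obj['attributedTo']
    end
    claims.compact
  end

  # Returns [accepted, reason]; on rejection the reason names the bad field.
  def verify(signer, payload)
    expected = origin_of(signer)
    return [false, 'signer is not an http(s) URI'] unless expected

    identity_claims(payload).each do |field, value|
      actual = origin_of(value)
      return [false, "#{field} origin #{actual.inspect} != #{expected}"] if actual != expected
    end
    [true, 'ok']
  end
end
```

A server that applies only the HTTP-signature check without this kind of origin comparison would accept a payload whose `attributedTo` names a user on a different server, which is exactly the impersonation the advisory describes.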
This vulnerability affected all Mastodon versions before 3.5.17, as well as the 4.0.x, 4.1.x, and 4.2.x versions. The advisory listed this flaw, CVE-2024-23832, as a critical-severity issue with a CVSS score of 9.4. As detailed in the CVSS base metrics, exploiting the flaw required neither high privileges nor user interaction.
Regarding the vulnerability impact, the advisory states that the flaw affects all remote users “as observed from a vulnerable Mastodon instance.” Moreover, it also affected the “deliverability of traffic from/to remote users of any software.”
Mastodon developers patched the vulnerability in versions 3.5.17, 4.0.13, 4.1.13, and 4.2.5. For now, Mastodon hasn't shared details about the issue, but the developers pledge to reveal more in the coming days, opting for a brief disclosure for now. They deem it important to keep the details veiled to give Mastodon admins enough time to update to the patched versions and avoid potential attacks; with this step, they also aim to minimize the likelihood of working exploits appearing for the flaw. In addition, Mastodon has put up server alerts for admins about the version updates.
Mastodon is an open-source, decentralized communication platform that emerged as a potent X (formerly Twitter) alternative for users. It currently boasts roughly 12 million users that stay connected via 11,000 Mastodon instances.